This can be tested on any and all systems with [[pkgdb:libcap-ng|libcap-ng-utils]] installed.

# System directories should have permissions of 0555. These are: /bin, /sbin, /usr/bin, /usr/sbin, /lib, /lib64, /usr/lib, /usr/lib64 and /root.
# /etc/shadow & gshadow should have permissions of 0000
# netcap should not show any common apps with full privs, DAC_OVERRIDE, or SETUID capabilities.
# pscap should not show any common apps with full privs, or SETUID.
# Exceptions to the rule would be login and cron type applications - sshd, login, gdm, kdm, and crond for example. Also the following apps are not confinable: console-kit-daemon, cups, postfix, rsyslog, auditd, audispd. The following have not been looked at: udev, hal-*, NetworkManager, wpa-supplicant.
# Verify that a sysadmin logged in via e.g. ssh is still able to perform his/her "normal" activities
# Verify that sudo still works as before
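A shell script that automates the checks in this test plan, added here as an example rather than taken from the page. It assumes GNU stat(1), that netcap and pscap from libcap-ng-utils are on PATH, and that their rows have the column layout noted in the comments; the pscap rows in SAMPLE_PSCAP are constructed, not captured output.

```shell
#!/bin/sh
# Added example, not from the Fedora page: scripts the test plan above.
# Assumes GNU stat(1) and that netcap/pscap (libcap-ng-utils) are on PATH.

# check_mode PATH MODE: succeed only if PATH has exactly octal MODE (e.g. 555).
check_mode() {
    have=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$have" = "$2" ]
}
# audit_dirs MODE PATH...: print every PATH whose mode is not MODE; fail if any.
audit_dirs() {
    want=$1; shift; bad=0
    for p in "$@"; do
        check_mode "$p" "$want" && continue
        echo "$p: expected $want, found $(stat -c '%a' "$p" 2>/dev/null || echo missing)"
        bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}
# flag_privileged COL: read pscap/netcap rows on stdin and print each command
# (field 4) whose capability list, fields COL onward (5 for pscap, 7 for netcap),
# contains "full", dac_override or setuid. The login/cron style programs the plan
# exempts (sshd, login, gdm, kdm, crond) are skipped. Fails if anything printed.
flag_privileged() {
    awk -v col="${1:-5}" -v allow="sshd login gdm kdm crond" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "ppid" { next }                      # header row
        {
            caps = ""
            for (i = col; i <= NF; i++) caps = caps " " tolower($i)
            if ($4 in ok) next
            if (caps ~ /full|dac_override|setuid/) { print $4 ": " substr(caps, 2); bad++ }
        }
        END { exit bad ? 1 : 0 }'
}
# Constructed pscap-style sample (not real output), fed to flag_privileged by demo_flag.
SAMPLE_PSCAP='ppid  pid   name        command           capabilities
1     612   root        sshd              full
1     701   root        rsyslogd          full
1     733   root        dhclient          net_admin, net_raw
1     801   root        smartd            dac_override, sys_rawio'
demo_flag() { printf '%s\n' "$SAMPLE_PSCAP" | flag_privileged 5; }
# run_test_plan: the live checks on this host, in the order of the plan above.
run_test_plan() {
    audit_dirs 555 /bin /sbin /usr/bin /usr/sbin /lib /lib64 /usr/lib /usr/lib64 /root
    audit_dirs 0 /etc/shadow /etc/gshadow
    netcap | flag_privileged 7
    pscap | flag_privileged 5
}
```

Source the file on the system under test and call run_test_plan; each step prints its offenders and returns non-zero when a check fails.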

* dhclient/done https://bugzilla.redhat.com/show_bug.cgi?id=517649
* gpm/done https://bugzilla.redhat.com/show_bug.cgi?id=517659
* smartd/done https://bugzilla.redhat.com/show_bug.cgi?id=517728
* bluetoothd/done https://bugzilla.redhat.com/show_bug.cgi?id=517660
* dbus/done https://bugzilla.redhat.com/show_bug.cgi?id=518541
* kerneloops/new https://bugzilla.redhat.com/show_bug.cgi?id=517672
* dnsmasq/new https://bugzilla.redhat.com/show_bug.cgi?id=517727

== Packages Modified without tracker bz ==

* setroubleshoot-2.2.21-2
* openswan-2.6.22-1
* irqbalance-0.55-24

== Release Notes ==

* Daemons running as root have been reviewed and patched to run with lower process capabilities. This reduces the desirability of using these daemons for privilege escalation. Additionally, the shadow file permissions have been changed to 000 and several directories in $PATH have been set to 555 in order to prevent daemons without DAC_OVERRIDE from being able to access the shadow file or write to the $PATH directories.

When someone attacks a system, they normally can't do much unless they can escalate privileges. This feature reduces the number of attack targets that can be used to escalate privileges: if root processes do not have all capabilities, they are harder to use to subvert the system.

But if someone does successfully attack a root process, can steps be taken to make it hard to take advantage of? The answer is yes. Processes with the root uid can still damage a system, because they can write to nearly any file and, of course, read the /etc/shadow file. But if we harden the system so that root requires the DAC_OVERRIDE capability for those accesses, then only a limited number of processes can damage the system. This won't affect any admin abilities, because admins always get full privileges, which include DAC_OVERRIDE.

A hardened system would have permissions like 555 on /bin, 555 on /lib, 000 on /etc/shadow and so on. The current scope is to cover the directories in the $PATH variable, library dirs, /boot, and /root. This scheme does not affect SELinux in any way and complements it, since capabilities are DAC controls and DAC has the first vote on allowing an access.

I have created a new app, netcap, that can show network-facing apps that have privileges. I would like to reduce capabilities on everything that is in the minimal platform install to start with and then work outwards to daemons that are commonly used. These apps will be patched to use the libcap-ng library to lower capabilities.

Next, I would like to use the pscap program to find apps that have privileges but are not network facing. They should drop capabilities, too.

Lastly, I would like to change the default permissions of a lot of directories to require DAC_OVERRIDE to write into. Certain trusted databases in the /etc directory tree should also be set for 0000 permissions.

Of particular concern is the /etc/resolv.conf file. We do not want to give DAC_OVERRIDE to any network-facing daemons, as they will be attack targets. So we will need to move resolv.conf to a directory owned by a dedicated account that any DHCP clients would run under; they will be able to write the file. There should probably be a symlink at the old location during the transition so that systems still work.


Achieving this for the minimal install is within reach. Anything beyond that is really icing on the cake. The granularity of the project is at the package level and not finishing would just leave some apps working like they always did. We can fix them some other day.
